Stronger Security for Reusable Garbled Circuits, General Definitions - - PowerPoint PPT Presentation



SLIDE 1

Stronger Security for Reusable Garbled Circuits, General Definitions and Attacks

Shweta Agrawal IIT Madras

SLIDE 2

Garbled Circuits (Yao 86)

Garble Circuit C: $\hat{C} = \mathrm{Garble}(C; R)$
Encode Input x: $\hat{x} = \mathrm{Encode}(x; R)$
Decode: $\hat{C}(\hat{x}) = C(x)$
Privacy: $\hat{C}, \hat{x}$ reveal "nothing but" $C(x)$

Secure for only one-time use.

SLIDE 3

Reusable Garbled Circuits [GKPVZ13]

[Figure: one garbled circuit $\hat{C}$ used with encoded inputs $\hat{x}_1, \hat{x}_2, \ldots, \hat{x}_5$]

Privacy: $\hat{C}, \hat{x}_1, \hat{x}_2, \ldots, \hat{x}_5$ reveal "nothing but" $C(x_1), C(x_2), \ldots, C(x_5)$
Decode: $\hat{C}(\hat{x}_1), \hat{C}(\hat{x}_2), \ldots, \hat{C}(\hat{x}_5) = C(x_1), C(x_2), \ldots, C(x_5)$

First construction by Goldwasser et al. in 2013

SLIDE 4

Functional Encryption (FE)

[Sahai-Waters'05, BSW'12]

Secret Key for Circuit C: $\mathrm{SK}_C = \mathrm{KeyGen}(\mathrm{SK}, C)$
Encrypt Input x: $\mathrm{CT}_x = \mathrm{Enc}(\mathrm{PK}, x)$
Decrypt: $\mathrm{SK}_C, \mathrm{CT}_x \to C(x)$
Privacy: Nothing more

  1. Input/circuit hiding
  2. Public/Private key
  3. One/Many key security

SLIDE 5

FE from Standard Assumptions: State of Art

Suppose we:

  • Restrict Adversary to make only one query [GKPVZ13]
  • Restrict Adversary to make certain types of queries [GVW15]

Then, have FE for all circuits

SLIDE 6

FE from Standard Assumptions: State of Art

Suppose we:

  • Restrict Adversary to make only one query [GKPVZ13]: Reusable Garbled Circuits
  • Restrict Adversary to make certain types of queries [GVW15]: Predicate Encryption

Then, have FE for all circuits

SLIDE 7

Restricting Number of Queries: Reusable Garbled Circuits [GKPVZ13]

  • Adversary can request any one key of any type
  • Need circuit privacy, can be achieved in private key setting
  • Security breaks down for more than one circuit query, of any type
  • Can be generalized for bounded Q queries using GVW12. CT grows multiplicatively as $O(Q^4)$

SLIDE 8

Restricting Type of Queries: Predicate Encryption

  • ("Weak Attribute Hiding") Adversary can request any number of "0-keys", i.e. $C_i$ such that $C_i(x_0) = C_i(x_1) = 0$
  • May not request even a single $C_i$ s.t. $C_i(x_0) = C_i(x_1) = 1$
  • Current systems [GVW15, AFV11] only achieve security in weak game, even for inner product predicate encryption [AFV11].

SLIDE 9

Best Known

| Scheme | 1 Queries | 0 Queries | Security Game | Ciphertext query dep |
|---|---|---|---|---|
| GKPVZ13 (STOC 2013) | ≤ 1 (Q with GVW12 compiler) | 1 | Selective (+ GVW12) | Mult. $Q^4$ |
| GVW15 (CRYPTO 2015) | - | Any | Selective | No |

SLIDE 10

Our Results

| Scheme | 1 Queries | 0 Queries | Security Game | Ciphertext query dep |
|---|---|---|---|---|
| GKPVZ13 (STOC 2013) | ≤ 1 (Q with GVW12 compiler) | 1 | Selective (+ GVW12) | Mult. $Q^4$ |
| GVW15 (CRYPTO 2015) | - | Any | Selective | No |
| This | Any fixed Q | Any | Semi-Adaptive | Additive $Q^2$ |

SLIDE 11

Additionally…

  • We show that prior constructions (AFV11, GVW15) supporting only 0 keys are totally insecure if attacker allowed 1 keys
  • Constant number of 1 keys sufficient to completely break security
  • Applies even to inner product functional encryption (AFV11).

SLIDE 12

Attacks

  • Three attacks:
    – CT and SK structure: applies even to inner product encryption [AFV11]
    – Ciphertext evaluation method of [BGG+14]
    – "Lazy-OR" trick of GVW15 which leaks FHE noise
  • Are they surprising?

SLIDE 13

Learning With Errors → Ciphertext

Distinguish "noisy inner products" from uniform:

$(A,\ A^{T} s + e)$ versus $(A,\ \mathrm{Unif})$

SLIDE 14

SIS Problem → Secret Key

Given matrix A, find "short" z such that $A z = 0 \bmod q$

Many short vectors form a trapdoor for A. Can be used to break LWE with matrix A.

SLIDE 15

Decryption works when matrices match

CT: $A^{T} s + e$
SK: $A z = 0 \bmod q$
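Added toy illustration of slides 13 to 15 (not code from the talk): a planted short kernel vector z plays the secret key, and pairing it with a ciphertext made with the same matrix A cancels the LWE secret and leaves only the small term $\langle e, z\rangle$, while a ciphertext under an unrelated matrix gives a value that is uniform mod q. The modulus, dimensions and the construction of A around the planted z are all constructed toy choices; no lattice reduction is involved.

```python
# Toy LWE/SIS duality (constructed example, not the talk's own code).
# An LWE sample A^T s + e is "decrypted" by a short z with A z = 0 mod Q:
# <A^T s + e, z> = s^T (A z) + <e, z> = <e, z>, which is small only when the
# ciphertext's matrix is the one z is a trapdoor for (slide 15).
import random

Q = 257          # constructed toy modulus (real schemes use a much larger q)
N, M = 4, 8      # secret dimension n, number of samples m

def center(v):
    """Reduce v mod Q into the symmetric range (-Q/2, Q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v

def trapdoored_matrix(rng):
    """Return (A, z): A is N x M over Z_Q and z is short with A z = 0 mod Q.
    A is built around a planted z; finding such a z for a random A is SIS (slide 14)."""
    z = [rng.choice([-1, 0, 1]) for _ in range(M - 1)] + [1]
    A = [[rng.randrange(Q) for _ in range(M - 1)] for _ in range(N)]
    for row in A:
        row.append(-sum(a * zi for a, zi in zip(row, z)) % Q)  # last column forces A z = 0
    return A, z

def lwe_sample(A, s, e):
    """Ciphertext-shaped LWE sample A^T s + e mod Q (slide 13)."""
    return [(sum(A[i][j] * s[i] for i in range(N)) + e[j]) % Q for j in range(M)]

def decrypt(ct, z):
    """Centered <ct, z> mod Q; equals <e, z> when ct was made with z's matrix."""
    return center(sum(c * zi for c, zi in zip(ct, z)))

def kernel_ok(A, z):
    """Check the SIS relation A z = 0 mod Q."""
    return all(sum(A[i][j] * z[j] for j in range(M)) % Q == 0 for i in range(N))

def instance(seed):
    """Constructed instance: trapdoored (A, z) plus a secret s and small noise e."""
    rng = random.Random(seed)
    A, z = trapdoored_matrix(rng)
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.choice([-1, 0, 1]) for _ in range(M)]
    return A, z, s, e

def demo(seed=1):
    """Matched vs. mismatched matrices; returns both centered decryption values."""
    A, z, s, e = instance(seed)
    B, _, _, _ = instance(seed + 1)               # unrelated matrix with its own trapdoor
    matched = decrypt(lwe_sample(A, s, e), z)     # |value| <= M: noise only
    mismatched = decrypt(lwe_sample(B, s, e), z)  # uniform mod Q: nothing cancels
    return matched, mismatched

if __name__ == "__main__":
    print(demo())
```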

SLIDE 16

Attack # 1

  • Request keys for linearly dependent vectors
  • Combine keys to get short vectors, hence trapdoor in certain lattice A*
  • Manipulate challenge CT to get LWE sample with matrix B*
  • A* and B* only match for decrypting keys
  • Lessons: Inherent vulnerability for "attribute hiding" scheme with this structure

SLIDE 17

Attack # 2

  • Regardless of circuit complexity, decryption leaks linear function of noise terms.
  • Given few decrypting keys, attacker can recover noise terms, LWE secret, hence all attributes.
  • Lessons: Inherent asymmetry between 0 and 1 queries in this method of evaluation.

SLIDE 18

Construction

  • Extend Predicate encryption to subsume reusable garbled circuits.
  • Yields new construction of reusable garbled circuits with stronger security than GKPVZ13
    – Support for 0 queries for free
    – Semi-adaptive rather than selective
  • New techniques
    – Handle 1 and 0 queries differently in simulation
    – Program public parameters based on key to be requested in future
  • Extend to bounded key FE: better ciphertext size, weaker security game

SLIDE 19

Construction

PE (GVW15) with one-sided security
  → [New tricks plus more careful proof] →
PE + RGC with very selective security
  → [Very selective to semi-adaptive] →
PE + RGC with semi-adaptive security
  → [New method] →
Extend to support Q arbitrary queries

Very Selective: Adv must announce challenge message as well as function key request at start of game
Semi-adaptive: Adv may see public parameters before outputting challenge

SLIDE 20

(Very) Selective to Semi-Adaptive Security

  • Nest selectively secure scheme Sel within adaptively secure FE for linear functions.
  • Generate ciphertexts for very selective game on the fly

SLIDE 21

(Very) Selective to Semi-Adaptive

  • Let LinFE be FE scheme so that
    – $\mathrm{Decrypt}(\mathrm{CT}(x), \mathrm{SK}(y)) = \langle x, y \rangle$
  • ALS16 give construction of LinFE with adaptive security
  • Structure of Sel ciphertext: $C_i = (A_i + x_i G)^{T} s + \mathrm{noise}$. May be written as inner product of vectors $(A_i^{T}, G^{T}, I)$ and $(s,\ x_i s,\ \mathrm{noise})$

SLIDE 22

(Very) Selective to Semi-Adaptive

  • Encryptor provides LinFE CT for $(s,\ x_i s,\ \mathrm{noise})$
  • KeyGen provides both SK for:
    – FeLin.SK $(A_i^{T}, G^{T}, I)$
    – Sel.SK $(y)$.
  • Decrypt
    – Compute Sel.CT(x) via LinFE decryption
    – Compute Sel decryption using Sel.CT(x), Sel.SK(y)
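Added worked example (not code from the talk) for the inner-product rewriting on slides 21 and 22: the Sel ciphertext $C_i = (A_i + x_i G)^{T} s + \mathrm{noise}$ is computed directly and then coordinate by coordinate as inner products of the LinFE key rows $(A_i^{T}, G^{T}, I)$ with the LinFE message $(s,\ x_i s,\ \mathrm{noise})$, which is exactly what a LinFE decryption hands the Sel decryptor. The gadget matrix G is assumed to be the usual powers-of-two gadget (the slides do not spell it out), and modulus and dimensions are constructed toy values.

```python
# Constructed example of the slide 21/22 identity; G is assumed to be the
# standard powers-of-two gadget, Q and the dimensions are toy choices.
import random

Q = 1024            # toy modulus, a power of two so the gadget is exact
N = 3               # secret dimension
K = 10              # Q = 2^K, so G has K columns per secret coordinate
M = N * K           # ciphertext length

def gadget():
    """Standard gadget G = I_N (x) (1, 2, 4, ..., 2^(K-1)), shape N x M."""
    return [[(1 << (j % K)) if j // K == i else 0 for j in range(M)] for i in range(N)]

def transpose(A):
    return [list(col) for col in zip(*A)]

def sel_ciphertext(A, G, x, s, e):
    """Direct evaluation of the Sel ciphertext C = (A + x*G)^T s + e mod Q (slide 21)."""
    B = [[(A[i][j] + x * G[i][j]) % Q for j in range(M)] for i in range(N)]
    return [(sum(B[i][j] * s[i] for i in range(N)) + e[j]) % Q for j in range(M)]

def linfe_key_rows(A, G):
    """Row j of [A^T | G^T | I_M]: the vector KeyGen hands to LinFE (FeLin.SK)."""
    AT, GT = transpose(A), transpose(G)
    return [AT[j] + GT[j] + [1 if k == j else 0 for k in range(M)] for j in range(M)]

def linfe_message(x, s, e):
    """What the encryptor places inside the LinFE ciphertext: (s, x*s, noise)."""
    return s + [x * si for si in s] + e

def sel_ciphertext_via_linfe(A, G, x, s, e):
    """Each coordinate of C is <key row j, message>, which LinFE decryption returns (slide 22)."""
    msg = linfe_message(x, s, e)
    return [sum(a * b for a, b in zip(row, msg)) % Q for row in linfe_key_rows(A, G)]

def instance(seed, x):
    """Constructed A, G, attribute bit x, secret s and small noise e."""
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.choice([-1, 0, 1]) for _ in range(M)]
    return A, gadget(), x, s, e

if __name__ == "__main__":
    A, G, x, s, e = instance(1, 1)
    print(sel_ciphertext(A, G, x, s, e) == sel_ciphertext_via_linfe(A, G, x, s, e))
```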

SLIDE 23

Conclusion

  • New construction of reusable garbled circuits with stronger security
  • New method for compiling very selective to semi-adaptive security for LWE-based systems
  • Attacks on existing predicate encryption systems: codify barrier in generalization to FE
  • Generalize to handle Q queries: better CT size than GVW12, but weaker security game.

Thank you!